diff --git a/haproxy-1.6.0-ssl-098.patch b/haproxy-1.6.0-ssl-098.patch
new file mode 100644
index 0000000..7adc0f4
--- /dev/null
+++ b/haproxy-1.6.0-ssl-098.patch
@@ -0,0 +1,52 @@
+From 76e79a8c8a98474f3caf701b75370f50729516b2 Mon Sep 17 00:00:00 2001
+From: Christopher Faulet
+Date: Mon, 19 Oct 2015 13:59:24 +0200
+Subject: [PATCH 2/2] BUILD: ssl: fix build error introduced in commit 7969a3
+ with OpenSSL < 1.0.0
+
+The function 'EVP_PKEY_get_default_digest_nid()' was introduced in OpenSSL
+1.0.0. So for older version of OpenSSL, compiled with the SNI support, the
+HAProxy compilation fails with the following error:
+
+src/ssl_sock.c: In function 'ssl_sock_do_create_cert':
+src/ssl_sock.c:1096:7: warning: implicit declaration of function 'EVP_PKEY_get_default_digest_nid'
+ if (EVP_PKEY_get_default_digest_nid(capkey, &nid) <= 0)
+[...]
+src/ssl_sock.c:1096: undefined reference to `EVP_PKEY_get_default_digest_nid'
+collect2: error: ld returned 1 exit status
+Makefile:760: recipe for target 'haproxy' failed
+make: *** [haproxy] Error 1
+
+So we must add a #ifdef to check the OpenSSL version (>= 1.0.0) to use this
+function. It is used to get default signature digest associated to the private
+key used to sign generated X509 certificates. It is called when the private key
+differs than EVP_PKEY_RSA, EVP_PKEY_DSA and EVP_PKEY_EC. It should be enough for
+most of cases.
+---
+ src/ssl_sock.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/ssl_sock.c b/src/ssl_sock.c
+index 35a3edf..7c82464 100644
+--- a/src/ssl_sock.c
++++ b/src/ssl_sock.c
+@@ -1091,12 +1091,16 @@ ssl_sock_do_create_cert(const char *servername, unsigned int serial,
+ else if (EVP_PKEY_type (capkey->type) == EVP_PKEY_EC)
+ digest = EVP_sha256();
+ else {
++#if (OPENSSL_VERSION_NUMBER >= 0x1000000fL)
+ int nid;
+
+ if (EVP_PKEY_get_default_digest_nid(capkey, &nid) <= 0)
+ goto mkcert_error;
+ if (!(digest = EVP_get_digestbynid(nid)))
+ goto mkcert_error;
++#else
++ goto mkcert_error;
++#endif
+ }
+
+ if (!(X509_sign(newcrt, capkey, digest)))
+--
+2.4.3
+
diff --git a/haproxy.changes b/haproxy.changes
index af11f54..07c84dd 100644
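Review bot: The `#else` branch added inside the final `else` of the digest selection fails with a bare `goto mkcert_error;` and nothing records why. On OpenSSL older than 1.0.0, a CA key that is not one of the explicitly handled types (RSA, DSA and EC, per the patch description) can therefore never sign a generated certificate. Failing closed rather than guessing a digest is the safe choice, but it deserves a comment above the `goto`, for example `/* OpenSSL < 1.0.0 has no EVP_PKEY_get_default_digest_nid(): refuse to sign rather than guess a digest */`. Whether `mkcert_error` reports anything to the operator cannot be seen here, because ssl_sock_do_create_cert() starts and ends outside the hunk. If it does not, a log line naming the unsupported key type would make this failure diagnosable.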
--- a/haproxy.changes
+++ b/haproxy.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Oct 19 16:15:57 UTC 2015 - mrueckert@suse.de
+
+- add haproxy-1.6.0-ssl-098.patch:
+ fix building on openssl 0.9.8
+
 -------------------------------------------------------------------
 Fri Oct 16 17:16:40 UTC 2015 - mrueckert@suse.de
diff --git a/haproxy.spec b/haproxy.spec
index 129ff4a..33a1433 100644
--- a/haproxy.spec
+++ b/haproxy.spec
@@ -72,6 +72,7 @@ Patch1: haproxy-1.6.0_config_haproxy_user.patch
 Patch2: haproxy-1.6.0-makefile_lib.patch
 Patch3: haproxy-1.6.0-sec-options.patch
 Patch4: haproxy-1.6.0-ssl.crash.patch
+Patch5: haproxy-1.6.0-ssl-098.patch
 #
 Source99: haproxy-rpmlintrc
 #
@@ -106,6 +107,7 @@ the most work done from every CPU cycle.
 %patch2
 %patch3
 %patch4 -p1
+%patch5 -p1
 %build
 %{__make} \